General Security Checklist

Purpose/Discussion

The purpose of this section is to provide a checklist for assessing the physical, operational, and administrative security posture of a Mission. Each line item that is checked "No" should be documented in the Comments section.

Audience

Risk Assessment Team Members

Physical Security

                                                                   YES   NO
Fire
Smoke & heat detectors  
Fire containment for important rooms (machine rooms)  
Fire extinguishers/systems  
No smoking policy near computer equipment  
Fireproof containers for computer media   
 
Lightning
Proper grounding and protection   
 
Environment
Temp control (AC)  
Humidity control  
Separate AC for computer rooms  
Alarms on temperature/humidity control equipment  
Air filters  
Sensitive equipment placed away from vents  
 
Electricity
Clean electricity supply  
Uninterruptible Power Supply (delay time, usage time)   
Anti-static carpet  
Emergency Lighting  
 
Intruder
General security of computer rooms  
Dropped ceilings: computer room walls extend all the way to the structural ceiling  
Raised floors  
Air ducts inaccessible  
Windows locked/barred  
Telephone & network connections and routers physically protected  
Firewall functioning  
Dial-back modems for RAS (remote access)  
Access to phone switch room restricted  
 
Intruder Alerts
Guards at critical entrances (main gate, ALL building entrances)   
After-Hours policy set and enforced  
Authentication of employees (ID badge check)   
Burglar alarms set in accordance with After-Hours policy   
Surveillance equipment 
Properly trained escorts for visitors  
 

Personnel Security

Vendor agreements to check their employees  
Published security policy (in writing, easily available)   
Train employees to watch for suspicious activity  
Train supervisors to watch for possible employee problems  
Established security audit procedures  
Precautions against fired/leaving employees  
Explicit restrictions on resource usage  
Visitor log maintained for all personnel not authorized to be in the computer room  
Access list and POC posted at the entrance to the central computer room  
 

Technical Security

One-time password or challenge response  
Tiger team password cracking  
Encryption of channels  
Shielding (electromagnetic interference)  
Firewalls  
Conduit protection of network wiring  
System audit trail reviewed for anomalies  
 

Administrative Security

US citizens with SECRET clearance appointed as ISSO and alternate  
List of all equipment and software maintained and up-to-date  
User access privileges reviewed within the last 12 months  
All dial-in accounts and network connections authorized and accounted for  
Log maintained of requested/performed maintenance  
Up-to-date contingency plans in place  
Contingency plan successfully practiced or implemented within the last 12 months  
Up-to-date disaster recovery and emergency action plans in place  
Disaster recovery and emergency action plan successfully practiced or implemented within the last 12 months  
All system users have received security awareness training within the last 12 months and have signed a USAID AIS Access Agreement form  
 

Operations Security

Random security checks  
Identify critical/targeted data  
Established procedures for dealing with computer crime  
Established response team  
Practice drills for response team  
Policy for handling sensitive/confidential/trade-secret data  
Spot checks of trash for improperly disposed SBU (sensitive but unclassified) material  
Warn employees about industrial espionage (especially when traveling abroad)  

Comments: